The Complete Guide to WordPress Security

Disclosure: Our content is reader-supported, which means we earn commissions from links on Crazy Egg. Commissions do not affect our editorial evaluations or opinions.

Cybercriminals come like thieves at night. 

In one fell swoop, they can ruin your customers’ trust, steal your revenue, and wipe out your WordPress site before you even have a chance to react. 

By following the strategies in this article, you can learn how to lock down your website to give it the best chance of fending off even the hardiest of hackers. 

Why WordPress Security Is So Important

Having a WordPress site is like living in a gated community. WordPress core is maintained by a dedicated security team that reviews it and ships fixes for the vulnerabilities that are found, which is a large part of why it is trusted by nearly half of the top 10 million websites on the internet. 

However, security risk can only be reduced, never eliminated. Even in the most secure neighborhood, cybercriminals can still creep in. 

The good news is that most breaches don’t come from WordPress core at all. History shows that WordPress sites get compromised because their administrators let their guard down. Reuters became an easy target for hackers after failing to update its WordPress software to the latest version: a cautionary tale of how a simple lapse can expose a site’s already-known weaknesses for any attacker to exploit. 

Meanwhile, a 2020 Patchstack report found that, of all the security vulnerabilities it identified that year, 96.22% were in third-party plugins and themes rather than in core. Core’s security work counts for little if you don’t do your part in securing what you install on top of it. 

If you think your website is too small to bother with WordPress security, you’re treading on thin ice. According to the latest Sophos Security Threat Report, an average of 30,000 websites are hacked every day. These attacks are automated: scripts scan the whole web for vulnerable sites and exploit whatever they find, big or small. One breach is enough to let attackers siphon off your revenue, lock you out of your site until you pay a ransom, or seize your customers’ sensitive information.

Worse, cybercriminals can also plant malware on your WordPress site and serve it to every visitor’s browser. Google Safe Browsing will then flag the site, browsers will warn visitors away, and your search rankings will suffer along with it. 

By learning how to secure your WordPress site, you’ll realize that nothing is totally beyond your control. There are effective strategies you can apply to ensure sleazy hackers won’t get the upper hand.

Quick Tips to Improve WordPress Security Today

Your site can only be as secure as the server it runs on, so attackers often probe the hosting environment before they ever touch WordPress itself. If your web host employs lackluster security measures, you’re in a lot of trouble. 

It doesn’t make sense to invest a lot in WordPress security if the website itself lives in a house of cards. Therefore, you must evaluate how often your web host updates its server software and hardware, how stable its IT infrastructure is, and its disaster recovery plan for hacked websites. 

If you’re looking for a trustworthy hosting provider with strong security features, we recommend SiteGround. It’s one of the three hosting companies recommended by WordPress.org, so you can trust that your website will be in a safe environment. It also runs on Google Cloud infrastructure, which gives sites fast, resilient hosting. 

As one of our top recommendations for WordPress hosting, SiteGround offers superior website security through the following:

  • Current PHP versions with the latest security patches
  • Current versions of the server software behind each network service (FTP, SMTP, IMAP/POP3, HTTP, HTTPS)
  • ModSecurity installed on shared servers with weekly updates on security rules to protect sites from common attacks
  • Automatic updates for plugins and WordPress core software
  • Strict policies on data access 
  • Constant monitoring for security vulnerabilities
  • DDoS (distributed denial-of-service) attack protection through software and hardware firewalls
  • Daily backups and seamless backup restoration process
  • SFTP connection for more secure file transfers
  • Malware scanning through SG Site Scanner (formerly HackAlert)

By entrusting your site to a secure server with SiteGround, you’re already halfway toward achieving optimal WordPress security.

But even if you already own an established website that doesn’t use SiteGround, you can still use the checklist above to evaluate whether your current host is up to snuff. Reach out to your host’s customer support team or search its knowledge base to determine how it stacks up against SiteGround security-wise. 

Safeguard Your Device

Without your computer or mobile phone, there’s no way you can log in to your WordPress admin or upload files into it. 

But the same link between your device and your WordPress site can also serve as an entry point for hackers. For instance, a keylogger planted on your device records every key you press; your WordPress credentials are captured the next time you log in, and the attacker can then use them to wreak havoc on your website. 

By securing your device, you contain any future infection and keep it from ever reaching your WordPress site. The following tips should get you off on the right foot: 

  • Ensure both the operating system and web browser you use are up to date. Each update patches known security vulnerabilities, closing holes that attack tools are already written for.
  • Don’t log in to your website from a public Wi-Fi network. You may get internet access for free, but it comes at the cost of your privacy: open networks don’t encrypt traffic between your device and the access point, so anyone on the same network can watch unencrypted traffic or stand up a look-alike hotspot. If you have no choice, use a VPN and make sure the site is served over HTTPS. 
  • Switch off Bluetooth when not in use. Most people forget to turn it off after pairing something. A radio left on and discoverable is attack surface you aren’t using, and flaws have been found in Bluetooth stacks that are reachable by anyone within radio range. 
  • Lock or shut down your computer when you’re not using it. Unless you’re running a web-based business that needs constant monitoring, make it a habit to shut down at the end of the day. A machine that is powered on and connected is reachable around the clock; one that is off is not. Lock the screen whenever you step away, so an unattended session can’t be used by someone else.
  • Ensure the built-in firewall is enabled. The firewall blocks unsolicited inbound connections to your computer, so services you never meant to expose can’t be reached from the network. Both Windows and macOS have built-in firewalls, so check that they’re enabled before you do anything online. 
  • Run or schedule regular virus and malware scans. Anti-virus software detects and blocks known malicious software, including spyware that covertly monitors your activity and records each keystroke. Anti-spyware functionality removes that malware and keeps it from stealing your WordPress password; products like McAfee and Norton bundle it, so you won’t have to install it separately. 

Get Plugins Only From Trusted Sources

We use plugins to improve the functionality of WordPress sites. But plugins, especially those that come from questionable sources, can sometimes bring more harm than good. 

Attackers take legitimate premium plugins and themes, strip out the licensing, plant malicious code in them, and redistribute them for free as “nulled” copies. Unsuspecting users install them, not realizing they’re walking straight into the attackers’ trap. 

To illustrate, the Washington Post ended up on the receiving end of an elaborate hacking incident perpetrated by the Syrian Electronic Army. The origin? A plugin that the Post installed to recommend related content to readers.  

If you don’t want a single plugin to end up being a backdoor for all malicious intruders, follow these best practices:

  • Don’t get plugins unless they’re from reputable sources. Are you looking for a free plugin? WordPress’s official repository is a safe place to start. Click the Plugins tab in your WordPress dashboard and then choose from the vast collection of plugins under the “Featured” or “Popular” categories. If the plugin you need is a premium one, purchase it directly from the developer’s website. Avoid download links posted on forums or shady websites promoting free versions of plugins they don’t own. 
  • Do due diligence before installing any plugin. Regardless of where it comes from, there are telltale signs that a plugin doesn’t deserve a place on your site. Start with how many users have reviewed it and the average rating they’ve given. Check that it has been updated recently and is marked as tested with the current WordPress version; plugins their developers haven’t touched in a long time accumulate unpatched vulnerabilities. Lastly, if the plugin has a Terms of Service or privacy policy, read it to find out what data it collects and where it sends that data, and make sure that matches your security requirements. 
  • Don’t add plugins to your WordPress site unless they’re necessary. Every plugin is someone else’s code running with the full privileges of your site, so each one adds attack surface, and a poorly written one can slow the site down as well as endanger it. Unless a plugin is legitimate and indispensable to your website, don’t install it; look for a non-plugin alternative instead. 
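
The due-diligence signals above (last update, tested-with version, rating, number of ratings, install base) are all exposed by the WordPress.org plugin information API, so the check can be scripted. The following is an added example, not code from the article or from WordPress.org: the three plugin records are constructed, the thresholds are this example’s own assumptions, and `REFERENCE_NOW` and `CURRENT_WP` are pinned so the scoring is reproducible.

```python
"""Plugin due-diligence scorecard over WordPress.org plugin metadata.

Added example, not from the article. It scores the fields the
WordPress.org plugin information API returns: last_updated, tested
(highest core version the author tested against), rating (0-100),
num_ratings and active_installs. SAMPLE_PLUGINS is constructed and
does not describe real plugins.
"""
import json
import urllib.request
from datetime import datetime, timezone

PLUGIN_INFO_URL = ("https://api.wordpress.org/plugins/info/1.2/"
                   "?action=plugin_information&request[slug]={slug}")

# Fixed "today" and assumed current core version so the demo is reproducible.
REFERENCE_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)
CURRENT_WP = "6.5"

# Constructed records in the shape of the API response (not real plugins).
SAMPLE_PLUGINS = [
    {"slug": "maintained-seo-toolkit", "version": "5.2.1",
     "last_updated": "2024-05-30 9:12am GMT", "tested": "6.5.3",
     "rating": 92, "num_ratings": 1834, "active_installs": 500000},
    {"slug": "abandoned-gallery", "version": "1.0.4",
     "last_updated": "2021-02-11 3:45pm GMT", "tested": "5.6",
     "rating": 64, "num_ratings": 9, "active_installs": 400},
    {"slug": "new-form-builder", "version": "0.3.0",
     "last_updated": "2024-06-20 11:05am GMT", "tested": "6.5",
     "rating": 100, "num_ratings": 4, "active_installs": 200},
]


def fetch_plugin(slug):
    """Fetch live metadata for a slug from WordPress.org (needs network; not used by the demo)."""
    with urllib.request.urlopen(PLUGIN_INFO_URL.format(slug=slug), timeout=10) as resp:
        return json.load(resp)


def parse_last_updated(value):
    """The API formats last_updated like '2024-05-30 9:12am GMT'."""
    naive = datetime.strptime(value.replace(" GMT", ""), "%Y-%m-%d %I:%M%p")
    return naive.replace(tzinfo=timezone.utc)


def major_minor(version):
    parts = version.split(".")
    minor = int(parts[1]) if len(parts) > 1 else 0
    return (int(parts[0]), minor)


def assess(plugin, now=REFERENCE_NOW, current_wp=CURRENT_WP):
    """Collect warning signs for one plugin record and give an overall verdict."""
    warnings = []
    age_days = (now - parse_last_updated(plugin["last_updated"])).days
    if age_days > 365:
        warnings.append(f"last updated {age_days} days ago")
    cur, tested = major_minor(current_wp), major_minor(plugin["tested"])
    # Three or more core minor releases behind (assumed threshold) means nobody is maintaining it.
    if tested[0] < cur[0] or (tested[0] == cur[0] and cur[1] - tested[1] >= 3):
        warnings.append(f"only tested up to WordPress {plugin['tested']}")
    if plugin["num_ratings"] < 20:
        warnings.append(f"only {plugin['num_ratings']} ratings, too few to judge")
    if plugin["rating"] < 70:
        warnings.append(f"average rating {plugin['rating']}/100")
    if plugin["active_installs"] < 1000:
        warnings.append(f"{plugin['active_installs']} active installs: little community scrutiny")
    verdict = "install" if not warnings else ("review" if len(warnings) <= 2 else "avoid")
    return {"slug": plugin["slug"], "verdict": verdict, "warnings": warnings}


if __name__ == "__main__":
    for record in SAMPLE_PLUGINS:
        result = assess(record)
        print(f"{result['slug']}: {result['verdict']}")
        for warning in result["warnings"]:
            print(f"  - {warning}")
```

A brand-new plugin with few ratings lands on "review" rather than "avoid": the numbers can’t tell you it’s bad, only that nobody has looked at it yet, which is exactly when reading the code or the developer’s track record matters most.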

Filter Malicious Traffic Through a Web Application Firewall (WAF)

A web application firewall is capable of targeting and blocking malicious traffic before it even reaches your website. 

This proactive approach to WordPress security comes in two forms. 

The more basic kind is an application-level firewall, which runs as a plugin and so adds work to every request. Some plugins, like All In One WP Security, work closer to the server by modifying your .htaccess file so that Apache itself blocks the offending requests. Others, like Shield and Wordfence, filter malicious traffic as soon as it reaches your server, before the rest of WordPress loads. 

If you want better protection while reducing server load, choose a DNS-level firewall instead. 

A DNS-level website firewall changes your DNS records so that all traffic passes through the vendor’s cloud proxy first. The proxy filters and blocks malicious requests and forwards the rest to your server. Companies like Cloudflare and Sucuri offer this kind of protection. One caveat: the proxy only protects what goes through it, so configure your server’s firewall to accept web traffic only from the proxy’s published IP ranges; otherwise an attacker who discovers your origin IP can simply bypass the WAF. 

Create Strong Passwords

In the words of the WordPress Security Team, your password is the “weakest link in the security of anything you do online.” No wonder attackers employ tactics like brute force, credential stuffing with passwords leaked from other sites, phishing, and cross-site scripting, all to steal your password or hijack a logged-in session. 

Using weak passwords is like giving hackers a key to your front door. Get several steps ahead of these malicious actors by following these password-strengthening tips:

  • Change your WordPress password by going to the Users tab in the dashboard and selecting your profile. WordPress generates a password suggestion and shows a strength meter beside it. The generator only proposes strong passwords, although you can override it with a weaker one of your own. 
  • Strong passwords consist of at least 10 characters with no more than two identical characters in a row. They usually include at least one uppercase letter, one lowercase letter, one number, and one special character such as an asterisk or exclamation point. Treat these rules as a floor: length matters more than character mix, and a randomly generated 20-character password from a password manager beats any scheme you devise by hand.
  • Avoid passwords that are mere permutations of your name, username, or website name. Weak passwords are typically short, made of digits or letters only (rather than a mixture), and built from words found in a dictionary or in lists of previously leaked passwords. 
  • If you own multiple WordPress sites, use a unique password for each. Do the same for the other entry points attackers go after: your web hosting account, FTP/SFTP accounts, the database, and every mailbox on your website’s domain name (a compromised mailbox can receive password resets for everything else). 
  • Strong passwords are hard to remember, so instead of writing them on sticky notes, keep them in an encrypted password database like KeePass on your computer or, if you need them across several devices, in a trusted online password manager like LastPass or 1Password. 
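
The rules above are easy to encode, and doing so shows their limits. The following is an added example, not the article’s code or WordPress’s own strength meter: `password_issues` applies the length, repetition, character-class, name-derivation and dictionary rules from this section, and `generate_password` draws random passwords until one passes. The word list is a tiny constructed stand-in; a real check would consult a list of leaked passwords.

```python
"""Password policy checker and generator (added example, not the article's code)."""
import re
import secrets
import string

MIN_LENGTH = 10
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?/"
# Tiny constructed word list; a production check uses a leaked-password list instead.
COMMON_WORDS = {"password", "welcome", "wordpress", "admin", "letmein",
                "qwerty", "monkey", "dragon", "secret", "login"}


def _name_tokens(*names):
    """Pieces (3+ letters or digits) of a username or site name that must not appear in a password."""
    tokens = set()
    for name in names:
        for token in re.split(r"[^0-9a-z]+", name.lower()):
            if len(token) >= 3:
                tokens.add(token)
    return tokens


def password_issues(password, username="", site_name=""):
    """Return every rule the password breaks; an empty list means it passes."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if re.search(r"(.)\1\1", password):
        issues.append("three or more identical characters in a row")
    if not re.search(r"[A-Z]", password):
        issues.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        issues.append("no lowercase letter")
    if not re.search(r"\d", password):
        issues.append("no digit")
    if not any(c in SPECIALS for c in password):
        issues.append("no special character")
    lowered = password.lower()
    for token in sorted(_name_tokens(username, site_name)):
        if token in lowered:
            issues.append(f"contains '{token}' from the username or site name")
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            issues.append(f"contains the dictionary word '{word}'")
    return issues


def is_strong(password, username="", site_name=""):
    return not password_issues(password, username, site_name)


def generate_password(length=20, username="", site_name=""):
    """Random password from the full alphabet, redrawn until it satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong(candidate, username, site_name):
            return candidate


if __name__ == "__main__":
    for pw in ("password123", "Alice#2024xyz", "T7$kq9!Lm2pWz"):
        print(pw, "->", password_issues(pw, username="alice", site_name="example.com") or "ok")
    print("generated:", generate_password(20, username="alice", site_name="example.com"))
```

Note that "Alice#2024xyz" satisfies every character-class rule and still fails, because it is built from the username; composition rules alone don’t catch the passwords attackers actually guess first.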

Aside from strengthening your password, change the default “admin” username to something else, so attackers have to guess two values instead of one. Keep in mind that WordPress reveals usernames through author archive pages and the REST API, so treat this as a small speed bump rather than a secret. You can also add a CAPTCHA to the login form, for example with the Really Simple Captcha plugin, to raise the cost of automated attacks.

Enable Two-Factor Authentication

In its 2020 WordPress Threat Report, Wordfence reports that it blocked over 90 billion malicious login attempts targeting WordPress sites. The majority of these attempts fail, but with brute force attacks growing more sophisticated, you can no longer leave anything to chance. 

Creating a strong password is one way of mitigating the risk, but one breach elsewhere, or one convincing phishing email, is all it takes to leak your login credentials. To bolster the security of your WordPress login page, you can take advantage of two-step or two-factor authentication.

As its name suggests, two-step authentication requires two steps before you can log in to your WordPress site. First, you enter your password. Once it’s validated, you prove you hold a second factor by entering a one-time code: generated by an authenticator app on your phone, or sent to you by text message (SMS) or phone call. 

An attacker who has only your password, from a leak or a phishing page, is stopped at the second step, which is why two-factor authentication is one of the most effective protections you can add to a WordPress login. Prefer an authenticator app over SMS where you can: text messages can be intercepted or redirected through a SIM swap. 

To enable two-factor or two-step authentication on your site, install one of the plugins created for this purpose. These include Google Authenticator, Wordfence, Two-Factor Authentication, and Duo. 

After activating the plugin in your WordPress site, install an authenticator app like Authy on your phone. To link the authenticator app to your WordPress site, you will need to open the app and scan the QR code usually found in the two-factor authentication plugin’s settings page. 

Once linked, the app generates a fresh six-digit code every 30 seconds from the shared secret it scanned; nothing is sent to your phone. After you enter your WordPress password, open the app, type the current code, and you’re in. If the plugin offers backup codes, store them somewhere safe, because losing the phone otherwise locks you out too. 
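
What the QR code actually carries, and how both sides arrive at the same code, is standard TOTP (RFC 6238). The following is an added example, not the code of any plugin named above: `provisioning_uri` builds the otpauth:// string that a settings page renders as the QR code, `totp` computes what the phone shows, and `TotpVerifier` is the server-side check with one step of clock tolerance and replay protection. `RFC_TEST_SECRET` is the published test key from RFC 6238; the account names are made up.

```python
"""Time-based one-time passwords, RFC 6238 (added example, not any plugin's code)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Test key from RFC 6238 Appendix B, used only to check the arithmetic below.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def new_secret(nbytes=20):
    """Fresh 160-bit shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32, account, issuer="Example WordPress Site"):
    """The otpauth:// URI a 2FA plugin renders as the QR code on its settings page."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32, counter, digits=6):
    """HMAC-SHA1 of the counter, dynamically truncated to `digits` decimal digits (RFC 4226)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """What the phone app shows: HOTP over the number of 30-second steps since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)


class TotpVerifier:
    """Server side. Tolerates one step of clock drift either way and refuses replayed codes."""

    def __init__(self, step=30, window=1):
        self.step, self.window = step, window
        self.last_counter = {}  # account -> highest counter already accepted

    def verify(self, account, secret_b32, code, at=None):
        at = time.time() if at is None else at
        current = int(at // self.step)
        for offset in range(-self.window, self.window + 1):
            counter = current + offset
            if counter <= self.last_counter.get(account, -1):
                continue  # a code for this step was already used once
            if hmac.compare_digest(hotp(secret_b32, counter), str(code)):
                self.last_counter[account] = counter
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com"))
    code = totp(secret)
    verifier = TotpVerifier()
    print("first use:", verifier.verify("alice", secret, code))   # True
    print("replayed :", verifier.verify("alice", secret, code))   # False
```

Two details matter on the server side: compare codes with `hmac.compare_digest` rather than `==`, and remember the last accepted time step per account so a code captured by a phishing page cannot be submitted a second time within its 30-second window.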

Restrict Access to Your WordPress Site

The battle against brute force attacks doesn’t only involve creating strong passwords. Even the strongest password in the world won’t eliminate the remote chance that hackers will decipher it. If you want to stop malicious actors from guessing your WordPress password, you have to take steps to prevent such an attempt from happening in the first place. 

There are three ways to do this: 

  • Change your default WordPress login URL. The login page of every WordPress site lives at yourdomain.com/wp-login.php (yourdomain.com/wp-admin redirects there), so every attacker already knows where to look. A free plugin called WPS Hide Login lets you move it to a URL known only to you, which keeps your site out of opportunistic scans. This is obscurity, not a barrier: credentials can still be tried through xmlrpc.php, so disable XML-RPC if nothing you use needs it, and keep the two measures below in place as well.
  • Limit login attempts. A brute force attack succeeds only because the attacker can try thousands of username and password combinations. Limiting login attempts takes that away. The free Login Lockdown plugin records the IP address and timestamp of every failed attempt; once a set number of failures arrives from one address within a set window, it refuses further logins from that address for a cooling-off period. Attackers do rotate through many IP addresses, so treat this as one layer alongside strong passwords and two-factor authentication rather than a cure. 
  • Assign minimal user permissions. Do you own a multi-author website? Follow the principle of least privilege to ensure no one can make unauthorized changes to your WordPress site. For example, never assign the Administrator role to a contributing writer when the Author role suffices. New user accounts should default to the Subscriber role. Grant elevated permissions temporarily when needed and revoke them once the task is complete. Lastly, make it a habit to delete inactive accounts to eliminate potential backdoors that hackers can exploit. 
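
The lockout logic in the second bullet is small enough to show in full, together with a way to replay it over web-server logs. The following is an added example, not Login Lockdown’s code: `LoginLimiter` keeps a sliding window of failures per IP and locks the address out after the threshold; `replay` runs it over Apache-style access log lines, treating a POST to wp-login.php that returns 200 as a failed login (WordPress re-renders the form) and a 302 as a success. The log lines are constructed, the thresholds (5 failures in 10 minutes, 15-minute lockout) are assumed defaults, and the status-code heuristic is this example’s own.

```python
"""Failed-login lockout and brute-force detection over access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed Apache combined-log lines. One address (203.0.113.7) hammers the login
# form; another fails twice and then succeeds; a third only fetches the form.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jul/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jul/2024:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.31"
198.51.100.4 - - [01/Jul/2024:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2024:10:00:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jul/2024:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jul/2024:10:00:35 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jul/2024:10:00:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.9 - - [01/Jul/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jul/2024:10:16:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.31"
"""


class LoginLimiter:
    """Sliding-window failure counter with a temporary lockout per source address."""

    def __init__(self, max_failures=5, window=600, lockout=900):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> epoch seconds

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Register a failed login; returns True if this failure triggered a lockout."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)


def replay(log_text, limiter=None):
    """Feed wp-login.php POSTs from access-log lines through the limiter; summarise per IP."""
    limiter = limiter or LoginLimiter()
    report = defaultdict(lambda: {"failures": 0, "blocked": 0, "locked": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if limiter.is_locked(ip, ts):
            report[ip]["blocked"] += 1  # refused before any password check, even a correct one
            continue
        if m["status"] == "302":
            limiter.record_success(ip)
        else:
            report[ip]["failures"] += 1
            if limiter.record_failure(ip, ts):
                report[ip]["locked"] = True
    return {ip: dict(stats) for ip, stats in report.items()}


if __name__ == "__main__":
    for ip, stats in replay(SAMPLE_LOG).items():
        print(ip, stats)
```

Two things the replay makes visible: the request at 10:00:41 carries a correct password (it would have redirected) and is still refused, because the lockout must be checked before the password is, and the attacker is back as soon as the 15-minute lockout expires. Behind a CDN or DNS-level WAF, take the client address from the proxy’s forwarded header only when the request actually came from the proxy; otherwise an attacker can spoof it and lock out anyone they like.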

Get an SSL Certificate

Transport Layer Security (TLS), still widely called SSL after the protocol it replaced, encrypts the connection between your website and your users’ browsers. Whatever the two exchange can’t be read or tampered with by anyone in between.

By installing a certificate and serving the site over HTTPS, you stop attackers from eavesdropping on traffic between your site and its users, including your own admin password, which otherwise travels in plain text every time you log in. You can tell a site uses HTTPS by the lock icon next to its URL in place of the non-secure HTTP.

For ecommerce sites, an SSL certificate is a security feature they can’t succeed without. They accept online payments all the time, so it only makes sense that they protect their buyers’ credit card details from hackers who are always ready to sniff them. 

However, even simple blogs benefit from a certificate. Chrome labels non-HTTPS pages as “Not Secure,” and Google gives HTTPS sites a slight ranking boost.

Commercial SSL certificates cost anywhere from $50 to upwards of $100. Thankfully, ZeroSSL and the non-profit Let’s Encrypt issue free certificates with the goal of making the internet a safer place. Most hosting providers offer a streamlined way to install a free certificate from your hosting cPanel, so ask your host if you haven’t set one up yet. Once it’s installed, set WordPress’s Site Address to the https:// URL and redirect all HTTP requests to HTTPS; a certificate that is installed but not enforced protects nobody. 

Lock Down File Permissions

A writable file is one that a given user account is allowed to modify. Some files and directories must be writable by the web server for WordPress to work, for instance so that it can save media uploads. But every file the web server can write is a file an attacker who compromises the web server process can write too, which is what lets a single vulnerable plugin turn into a backdoor, and the risk is greater still on shared hosting, where other tenants’ sites run on the same machine. 

The key here is to strike a balance with file permissions. Make it too lax, and malicious actors can easily infiltrate your site. Make it too strict, and your website may lack the flexibility it needs to look and function at its best. 

To secure your website, lock down file permissions and grant write access only where it’s needed. If you need a place to upload files, create a specific directory with looser permissions for that purpose rather than loosening everything. 

You can lock down file permissions with a plugin, through the file manager in your hosting cPanel, or over SSH with chmod. If you’re unsure, ask your hosting provider’s support team first: the wrong permissions can break the site or lock you out of your own files.

As a rule, all files should be owned by your own user account and writable by it. That covers the root WordPress directory, the WordPress administration area (wp-admin), and the bulk of the application logic (wp-includes).  

Only files that WordPress itself needs to write should be writable by the web server. In the root directory, for example, everything is writable by your user account except .htaccess, which may be writable by the web server if you want WordPress to generate rewrite rules automatically. The usual baseline is 755 for directories, 644 for files, and 600 (or 640, if the web server must read it as a group member) for wp-config.php, since that file holds your database credentials and should never be readable by other accounts on the server. 
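
The baseline above can be checked, and enforced, with a short audit. The following is an added example, not the article’s or any plugin’s code: `audit` walks a WordPress tree, reports anything world-writable or off the 755/644/600 baseline, and with `fix=True` applies the target mode. The list of directories allowed to be group-writable (uploads and upgrade, on the assumption that the web server runs as a member of the owner’s group) is this example’s own and should be adjusted to your host; `build_demo_tree` creates a constructed tree with deliberately wrong modes so the audit has something to find.

```python
"""Permission audit for a WordPress tree (added example, not the article's code).

Baseline: directories 755, files 644, wp-config.php 600 (640 tolerated),
nothing world-writable. Directories WordPress must write to may be
group-writable, assuming the web server is in the owner's group.
"""
import os
import stat
import tempfile

DIR_MODE, FILE_MODE, SECRET_MODE = 0o755, 0o644, 0o600
SECRET_FILES = {"wp-config.php"}
WEB_WRITABLE_DIRS = {"wp-content/uploads", "wp-content/upgrade"}  # assumption; adjust per host


def expected_modes(relpath, is_dir):
    """(set of acceptable modes, mode to apply when fixing) for one path."""
    in_writable_dir = any(relpath == d or relpath.startswith(d + "/") for d in WEB_WRITABLE_DIRS)
    if is_dir:
        return ({DIR_MODE, 0o775}, 0o775) if in_writable_dir else ({DIR_MODE}, DIR_MODE)
    if os.path.basename(relpath) in SECRET_FILES:
        return {SECRET_MODE, 0o640}, SECRET_MODE
    if in_writable_dir:
        return {FILE_MODE, 0o664}, FILE_MODE
    return {FILE_MODE}, FILE_MODE


def audit(root, fix=False):
    """Findings as (relative path, current mode, target mode, reason); chmod them when fix=True."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink carries no permissions of its own
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            mode = stat.S_IMODE(st.st_mode)
            acceptable, target = expected_modes(rel, is_dir)
            if mode & 0o002:
                reason = "world-writable"  # never acceptable, whatever the directory
            elif mode not in acceptable:
                reason = "not the baseline mode"
            else:
                continue
            findings.append((rel, f"{mode:04o}", f"{target:04o}", reason))
            if fix:
                os.chmod(path, target)
    return findings


def build_demo_tree():
    """Constructed WordPress-like tree in a temp dir with two deliberately wrong modes."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    for d, mode in (("wp-admin", 0o777), ("wp-includes", 0o755), ("wp-content", 0o755),
                    ("wp-content/uploads", 0o775)):
        os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, d), mode)
    for f, mode in (("index.php", 0o644), ("wp-config.php", 0o644),
                    ("wp-content/uploads/photo.jpg", 0o664)):
        path = os.path.join(root, f)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for finding in audit(demo):
        print(finding)
    audit(demo, fix=True)
    print("after fix:", audit(demo))
```

Run it read-only first and review the list before passing `fix=True`; a host that runs PHP as your own user (suPHP, PHP-FPM pools per account) needs no group-writable directories at all, while one that runs it as a shared web-server user may need the writable set widened.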

Automatically Log Out All Inactive Users

If you own a membership site or any website that requires users to log in, there’s always the risk of intruders hijacking their sessions. One common cause is users forgetting to log out: they get distracted, move on to other websites, and leave the previous one logged in and idle, sometimes on a shared or public computer.

If you don’t want these inactive user accounts to attract hackers in droves, borrow the same strategy used by banking websites. These sites automatically log out their idle users to prevent their accounts from becoming access points for malicious actors. 

Regular WordPress sites get this functionality from the Inactive Logout plugin. After installing and activating it, go to its settings page and set how long an account may stay idle before it is logged out, along with the warning message users see beforehand. Save the changes and confirm on the live site that the timeout fires as expected. 

Long-Term Strategies for WordPress Security

Securing your WordPress site is a continuous process that doesn’t end with installing a few security plugins. The strategies below take commitment, because staying ahead of intruders is ongoing work. 

After all, attackers’ scripts never sleep, so keep looking for signs of compromise. 

Schedule Regular WordPress Backups

Backups serve as your insurance in case things go awry. 

And we’re not just talking about hackers successfully defacing your website. Human error, hardware failures, and a host of other catastrophes can also wipe out your WordPress site. Without backups to count on, all the efforts you’ve exerted to build your site will just be a memory. 

As the core strategy of your disaster mitigation plan, WordPress backups can be successful if you follow these rules: 

  • Set up automated backups. Backing up is usually the last thing on a site owner’s mind; it’s human nature not to value it until you’ve lived through the disaster yourself. An automated backup system means neither a busy schedule nor forgetfulness can leave you unprepared. BlogVault and UpdraftPlus are established services for automating WordPress backups; use either to copy your site on a schedule while you focus on other matters. 
  • Back up both website files and database. The website files consist of the WordPress core installation plus all plugins, themes, and media. The database holds all the content, comments, usernames, and password hashes. Neither works without the other, so make sure both are included in your regular backup schedule.
  • Establish a regular backup schedule. Depending on the type of WordPress site, you can schedule backups monthly, weekly, daily, or several times a day. For example, a news site that publishes new content round the clock benefits from hourly backups, while a static site that rarely changes can get by with a monthly schedule.
  • Store your backups offsite. Most hosting providers offer backups as a courtesy, but they often live on the same server as the site, so when disaster strikes the server, the backups go down with it. Never rely wholly on your host. Keep copies in an offsite location: a cloud storage service, an encrypted archive on your own computer, or read-only media. Remember that a backup contains wp-config.php, with your database credentials, and every user’s password hash, so encrypt it at rest and restrict who can download it. 
  • Keep multiple copies of your backup. Never be content with a single backup. Schofield’s Second Law of Computing says data doesn’t exist unless you have at least two copies of it, and the common 3-2-1 rule goes one better: three copies, on two kinds of media, one of them offsite. So in addition to your primary backup, keep at least two more in secondary and tertiary locations. 

You can still perform manual backups but only do so if you know what you’re doing. Make sure you stick to a regular schedule and ask for assistance from your hosting provider’s customer support team should you run into snags. 

When it’s time to restore, do a test run on a staging site first. Once you’ve confirmed the data is complete and intact, restore the backup on the live WordPress site. Better still, test a restore periodically before you need one; a backup that has never been restored is an assumption, not insurance. 
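
The file half of the procedure above, with the credential handling and integrity checking the bullets ask for, looks like this when scripted. The following is an added example, not the code of BlogVault, UpdraftPlus or any host: it reads the DB_* settings from wp-config.php, builds the mysqldump command with the password in a 0600 defaults file rather than on the command line (where it would show up in `ps`), archives the files with a SHA-256 sidecar, verifies an archive against it, and prunes old copies. `SAMPLE_WP_CONFIG` holds placeholder values, the dump command is built but not executed, and `build_demo_site` makes a constructed miniature tree.

```python
"""WordPress file backup with integrity manifest and retention (added example)."""
import hashlib
import os
import re
import tarfile
import tempfile
import time

DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

# Constructed wp-config.php fragment with placeholder credentials.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_example' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'placeholder-only' );
define( 'DB_HOST', 'localhost' );
"""


def parse_db_settings(config_text):
    """DB_* constants from wp-config.php as a dict."""
    return dict(DEFINE_RE.findall(config_text))


def write_defaults_file(db, path):
    """MySQL client defaults file holding the credentials, readable by the owner only."""
    with open(path, "w") as fh:
        fh.write(f"[client]\nhost={db['DB_HOST']}\nuser={db['DB_USER']}\n"
                 f"password=\"{db['DB_PASSWORD']}\"\n")
    os.chmod(path, 0o600)
    return path


def mysqldump_command(db, defaults_file):
    """argv for a consistent InnoDB dump; returned, not run, so the demo needs no MySQL."""
    return ["mysqldump", f"--defaults-extra-file={defaults_file}", "--single-transaction",
            "--quick", "--routines", db["DB_NAME"]]


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_files(wp_root, dest_dir, stamp=None):
    """Tar the WordPress tree into dest_dir and write a sidecar SHA-256 checksum."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    os.makedirs(dest_dir, exist_ok=True)
    archive = os.path.join(dest_dir, f"wp-files-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(wp_root, arcname="wordpress")
    os.chmod(archive, 0o600)  # the archive contains wp-config.php and its credentials
    digest = sha256_of(archive)
    with open(archive + ".sha256", "w") as fh:
        fh.write(f"{digest}  {os.path.basename(archive)}\n")
    return archive, digest


def verify_archive(archive):
    """True if the archive still matches the checksum recorded when it was made."""
    with open(archive + ".sha256") as fh:
        recorded = fh.read().split()[0]
    return recorded == sha256_of(archive)


def prune(dest_dir, keep=7):
    """Delete all but the newest `keep` archives and their checksums; return what was removed."""
    names = sorted(n for n in os.listdir(dest_dir)
                   if n.startswith("wp-files-") and n.endswith(".tar.gz"))
    removed = []
    for name in names[:max(len(names) - keep, 0)]:
        for victim in (name, name + ".sha256"):
            path = os.path.join(dest_dir, victim)
            if os.path.exists(path):
                os.remove(path)
                removed.append(victim)
    return removed


def build_demo_site():
    """Constructed miniature site tree in a temp dir, for the demo."""
    root = tempfile.mkdtemp(prefix="wp-site-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write(SAMPLE_WP_CONFIG)
    with open(os.path.join(root, "wp-content", "uploads", "hello.txt"), "w") as fh:
        fh.write("hello\n")
    return root


if __name__ == "__main__":
    site = build_demo_site()
    db = parse_db_settings(SAMPLE_WP_CONFIG)
    print(" ".join(mysqldump_command(db, "/path/to/backup.cnf")))
    archive, digest = archive_files(site, site + "-backups")
    print(archive, digest[:16], "verified:", verify_archive(archive))
```

The checksum answers the question a restore test asks first, "is this archive the one I wrote?"; it does not make the archive confidential, so the copy that leaves the server should still be encrypted before it goes to cloud storage.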

Keep the WordPress Core Software Up to Date

Outdated WordPress software is a magnet for malicious activity. The security vulnerabilities fixed in each WordPress release are publicly documented, so the moment a fix ships, attackers know exactly what to look for on sites that haven’t applied it. 

By keeping your WordPress up to date, you’re letting its security features work for you instead of against you. Each update releases bug fixes and security patches to solve vulnerabilities identified in the previous versions. 

WordPress installs minor releases, which carry security and maintenance fixes, automatically by default; major releases you have to approve yourself. To upgrade WordPress to its latest version, go to Dashboard and then Updates.

Aside from the WordPress core software, plugins and themes that haven’t been updated are likewise vulnerable to security breaches. Make it a habit to update them as soon as notifications pop up in your WordPress dashboard. By keeping the plugins and themes up to date, you can ensure they will always work in tiptop shape. 

However, updates may not always end up as desired. The latest versions of your plugins or theme may not be compatible with the current WordPress version installed on your site, or vice versa. Hence, it’s considered best practice to keep regular backups of your site, especially before pushing any updates. 

Alternatively, you can also apply the updates on a development or staging site first. By doing so, you check for any problems and fix them before applying the updates to the live site. 

Keep Audit or Activity Logs

Especially if you manage multiple contributors in your WordPress site, it’s important to keep an eye on every activity in the backend. 

Audit or activity logs are your eyes on the site while you’re away from it. They record every change made to the site and who made it, so you’ll know who logged in, installed a plugin, or edited content without your say-so. Reviewing them, or setting up alerts on them, lets you spot suspicious activity early, ideally before an intruder finishes what they started. 

And if an attack does succeed, a record of all user activity helps with the forensics: pinpointing exactly what happened and when. To create activity logs, use a plugin like WP Activity Log or the free Activity Log. Bear in mind that an attacker who gains administrator access can delete logs stored in your own database, so where the plugin supports it, send them to an external service or mailbox as well.

Conduct Regular Vulnerability Scanning 

Like regular health checkups, WordPress security scans help you spot vulnerabilities you might have overlooked. They are part of a long-term, proactive approach to keeping your site secure. Scans should be run at least monthly or quarterly, depending on the size and complexity of your WordPress site. 

Made-for-WordPress scanners like WPScan enumerate your WordPress version, plugins, and themes and check them against a database of known vulnerabilities; they can also test for weak passwords on the usernames they discover and flag common misconfigurations. Pair a scanner like this with a file-level malware scanner, such as those built into Wordfence or Sucuri, which look for code injected into the files on disk. 

Next Steps

Security is at the core of every business strategy. But as the workforce becomes more mobile, the need for security services that can follow you wherever you go becomes more evident. Fortunately, VPN services enable you to browse the internet through public Wi-Fi without intruders feasting on your private information. Check out our top recommendations here and start securing your connection, computer, and WordPress site wherever you go.
